From: Keir Fraser
Date: Sat, 19 Apr 2014 19:59:01 +0000 (-0400)
Subject: Fix: Use after free in rcu_barrier()
X-Git-Tag: v0.9.0~92
X-Git-Url: https://git.lttng.org/?a=commitdiff_plain;h=81dd9134333f1c00117cf5addd2f193b89998201;hp=81dd9134333f1c00117cf5addd2f193b89998201;p=userspace-rcu.git

Fix: Use after free in rcu_barrier()

Do not free the rcu_barrier() completion struct until all threads are done
with it. It cannot reside on the waiter's stack as rcu_barrier() may return
before the call_rcu handlers have finished checking whether it needs a futex
wakeup. Instead we dynamically allocate the structure and determine its
lifetime with a reference count.

Signed-off-by: Keir Fraser

[ Edit by Mathieu Desnoyers: use urcu/ref.h. Cleanup: use uatomic_sub_return()
rather than uatomic_add_return() with negative value. ]

Signed-off-by: Mathieu Desnoyers
---
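The lifetime rule the commit describes, as an added example that is not the liburcu code: the completion object is heap-allocated and freed by whichever party drops the last reference, so the waiter returning early can no longer pull memory out from under a handler. The names (`struct completion`, `completion_put`, `refcounted_barrier`) are assumptions; a pthread condition variable stands in for the futex wakeup and C11 atomics for uatomic.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
/* Hypothetical completion object modelled on the commit text (not liburcu's code):
 * heap-allocated, freed by whoever drops the last reference, never on a stack. */
struct completion {
    atomic_int refs;      /* one per outstanding handler, plus one for the waiter */
    atomic_int pending;   /* handlers that have not completed yet */
    pthread_mutex_t lock;
    pthread_cond_t cond;  /* stands in for the futex wakeup */
};
static atomic_int frees_seen; /* instrumentation: completions freed so far */
static struct completion *completion_new(int nhandlers) {
    struct completion *c = malloc(sizeof(*c));
    atomic_init(&c->refs, nhandlers + 1);
    atomic_init(&c->pending, nhandlers);
    pthread_mutex_init(&c->lock, NULL);
    pthread_cond_init(&c->cond, NULL);
    return c;
}
static void completion_put(struct completion *c) {
    if (atomic_fetch_sub(&c->refs, 1) != 1) return; /* other references remain */
    pthread_cond_destroy(&c->cond);
    pthread_mutex_destroy(&c->lock);
    free(c);
    atomic_fetch_add(&frees_seen, 1);
}
/* Helper thread standing in for a call_rcu handler queued by rcu_barrier(). */
static void *handler(void *arg) {
    struct completion *c = arg;
    if (atomic_fetch_sub(&c->pending, 1) == 1) { /* last one done: wake the waiter */
        pthread_mutex_lock(&c->lock);
        pthread_cond_broadcast(&c->cond);        /* waiter may return right after this */
        pthread_mutex_unlock(&c->lock);
    }
    completion_put(c); /* our own reference kept c alive until here */
    return NULL;
}
/* Waits for nhandlers helpers, drops the waiter's reference; returns frees (1). */
int refcounted_barrier(int nhandlers) {
    int before = atomic_load(&frees_seen);
    struct completion *c = completion_new(nhandlers);
    pthread_t tids[nhandlers];
    for (int i = 0; i < nhandlers; i++) pthread_create(&tids[i], NULL, handler, c);
    pthread_mutex_lock(&c->lock);
    while (atomic_load(&c->pending) > 0) pthread_cond_wait(&c->cond, &c->lock);
    pthread_mutex_unlock(&c->lock);
    completion_put(c); /* with a stack-resident struct, returning here is the bug */
    for (int i = 0; i < nhandlers; i++) pthread_join(tids[i], NULL);
    return atomic_load(&frees_seen) - before;
}
```

Whichever of the waiter or the last handler runs `completion_put()` last performs the single free, which is exactly what the waiter-stack version could not guarantee.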